Sony's huge Hollywood hack is the tip of iceberg

Malcolm Maiden

The corporate data hack on Sony Corp has been manna from heaven for social media and the celeb-sites that feed it, but information technology bosses are not laughing. The huge data breach is another reminder for them that hackers and corporations are on intersecting, aggressive growth paths.

Hacks are becoming increasingly sophisticated and business-like, and the boundary between sovereign espionage and corporate espionage is becoming blurry. Corporations meanwhile are increasingly inhabiting the highway hackers use – the internet – not only to interact with their customers, but to automate their businesses, and use the data they collect to lift productivity and earnings.

A hacker group that calls itself the Guardians of Peace accessed Tokyo-headquartered Sony's email, payroll database and other databases on November 25, and leaks focused on the group's movie-making subsidiary, Sony Pictures, began immediately.

They include top executive pay deals, unreleased movie scripts, medical records, criminal background checks on employees, and details about Hollywood stars including Sylvester Stallone and Judd Apatow that range from social security numbers to aliases used for hotel bookings.

Highly embarrassing email exchanges involving top Sony Pictures executives have also been published. In one of them, an angry Hollywood producer tells Sony Pictures co-chairman Amy Pascal that Angelina Jolie is a "minimally talented, spoiled brat".

The material that has created a public relations meltdown for Sony has been drawn from a 40-gigabyte data dump by the hackers, and it is not clear yet how deep a hole Sony is in: the hackers claim to have stolen 100 terabytes from the company.

Nation states have spied on each other since nation states have existed, and their intelligence-gathering has moved online as the use of computers and the internet has expanded. China's hacking of Western government sites and strategically important companies was documented in 2013, for example, and last month cyber-security experts revealed the existence of "Regin", malware that has apparently been reporting from inside government and corporate computers since at least 2008.

Regin is so sophisticated it was almost certainly created with state assistance: Russia and Saudi Arabia are the countries with the most Regin computer infections. There are no reported infections in the United States.

There are other examples of traditional, technically brilliant sovereign hacks. The Stuxnet worm that infected control systems and disabled Iranian nuclear centrifuges in 2010 is one that required jaw-dropping technical prowess.

Sony appears to be an example of a newer trend, however: single-company, and perhaps single-issue, attacks by state-sponsored freelance hacker groups.

The malware used to attack Sony resembles malware used in 2012 in an attack that disabled 30,000 computers in Saudi Arabia's national oil company, Aramco, and there is speculation that it and the Sony attack may have effectively been commercial sovereign sub-contracts, with the Sony contract originating in North Korea.

North Korea complained to the United Nations in July about a Sony movie called The Interview that is due for release over the Christmas period. In it, Seth Rogen and James Franco play assassins hired by the CIA to kill North Korean leader Kim Jong-un. North Korea has denied involvement in the Sony hack, but has welcomed it as a "righteous deed" carried out by someone upset about a film that encourages "a terrorist act while hurting the dignity of the supreme leadership".

There is suspicion that Iran may have also sponsored a single-issue corporate hack attack, in February this year, when Las Vegas Sands Corp's computer system was entered through a poorly defended casino outpost in Pennsylvania.

That attack caused a computer system meltdown that is estimated to have cost Las Vegas Sands $US40 million. The group is controlled by Sheldon Adelson, who has media interests in Israel, and has spoken out strongly against Iran's nuclear program.

Companies are obviously aware of the danger that hackers present. WikiLeaks revealed in 2012, for example, that the then chief executive of BHP Billiton, Marius Kloppers, had told US embassy officials that he was concerned that BHP's internal communications had been compromised.

Freelance, state-sponsored, single-issue corporate hacks are a new twist, however, and they come as companies are ramping up the amount of data they collect and use.

It uses the information to make itself more efficient. Sensors on drillbits used to drill holes for the placement of explosives at mine sites are for example giving the group a much more precise picture of the ore body it is mining, and higher ore recovery ratios.

The amounts of data involved are enormous, however. In the Pilbara, for example, Rio's automated trucks each have almost 200 sensors. The fleet transmits about 5 terabytes of data a day that Rio selectively interrogates, stores and analyses.

Rio reduces its exposure to hackers by hiring top IT professionals, maintaining state-of-the-art firewalls and linking its data centres directly in an intranet rather than indirectly through the internet.

It also compartmentalises its data collection, retention and analysis as far as possible. Its main mine automation centre, for the Pilbara, is located in Perth. Its main data collection and analysis centre is in Brisbane, and it runs a specialist centre to develop ways to use the metadata in India.

That's a Rolls Royce model, however. Many other companies are basically riding the internet, and there is so much data and so much more to be collected that storage in the cloud is unavoidable. There is exposure there, and it will grow as the cloud expands. Exposure too if one chink in a company's armour is weak: hackers almost always go in through the weakest point in a computer network, as Adelson's casino group discovered.

It's an escalating cyber arms race between hackers and companies, in effect. Companies are ramping up their spending on data collection, retention and analysis because it creates productivity gains that keep them competitive - but as they do, they are going to have to spend increasing amounts on data defence, too.